Rework mime type white list

src/onegov/agency/forms/agency.py

@@ -16,7 +16,7 @@
 from onegov.form.fields import ChosenSelectField, HtmlField
 from onegov.form.fields import MultiCheckboxField
 from onegov.form.fields import UploadField
-from onegov.form.validators import FileSizeLimit
+from onegov.form.validators import FileSizeLimit, MIME_TYPES_IMAGE
 from onegov.form.validators import WhitelistedMimeType
 from onegov.gis import CoordinatesField
 from sqlalchemy import func
@@ -73,10 +73,7 @@ class ExtendedAgencyForm(Form):
     organigram = UploadField(
         label=_('Organigram'),
         validators=[
-            WhitelistedMimeType({
-                'image/jpeg',
-                'image/png',
-            }),
+            WhitelistedMimeType(MIME_TYPES_IMAGE),
             FileSizeLimit(1 * 1024 * 1024)
         ]
     )

src/onegov/election_day/forms/election.py

@@ -13,7 +13,7 @@
 from onegov.form.fields import ChosenSelectMultipleField
 from onegov.form.fields import PanelField
 from onegov.form.fields import UploadField
-from onegov.form.validators import FileSizeLimit
+from onegov.form.validators import FileSizeLimit, MIME_TYPES_PDF
 from onegov.form.validators import WhitelistedMimeType
 from re import findall
 from sqlalchemy import or_
@@ -323,7 +323,7 @@ class ElectionForm(Form):
     explanations_pdf = UploadField(
         label=_('Explanations (PDF)'),
         validators=[
-            WhitelistedMimeType({'application/pdf'}),
+            WhitelistedMimeType(MIME_TYPES_PDF),
             FileSizeLimit(100 * 1024 * 1024)
         ],
         fieldset=_('Related link')

src/onegov/election_day/forms/election_compound.py

@@ -12,7 +12,7 @@
 from onegov.form.fields import ChosenSelectMultipleField
 from onegov.form.fields import PanelField
 from onegov.form.fields import UploadField
-from onegov.form.validators import FileSizeLimit
+from onegov.form.validators import FileSizeLimit, MIME_TYPES_PDF
 from onegov.form.validators import WhitelistedMimeType
 from re import findall
 from sqlalchemy import or_
@@ -228,7 +228,7 @@ class ElectionCompoundForm(Form):
     explanations_pdf = UploadField(
         label=_('Explanations (PDF)'),
         validators=[
-            WhitelistedMimeType({'application/pdf'}),
+            WhitelistedMimeType(MIME_TYPES_PDF),
             FileSizeLimit(100 * 1024 * 1024)
         ],
         fieldset=_('Related link')
@@ -237,7 +237,7 @@ class ElectionCompoundForm(Form):
     upper_apportionment_pdf = UploadField(
         label=_('Upper apportionment (PDF)'),
         validators=[
-            WhitelistedMimeType({'application/pdf'}),
+            WhitelistedMimeType(MIME_TYPES_PDF),
             FileSizeLimit(100 * 1024 * 1024)
         ],
         fieldset=_('Related link'),
@@ -247,7 +247,7 @@ class ElectionCompoundForm(Form):
     lower_apportionment_pdf = UploadField(
         label=_('Lower apportionment (PDF)'),
         validators=[
-            WhitelistedMimeType({'application/pdf'}),
+            WhitelistedMimeType(MIME_TYPES_PDF),
             FileSizeLimit(100 * 1024 * 1024)
         ],
         fieldset=_('Related link'),

src/onegov/election_day/forms/upload/common.py

@@ -11,8 +11,8 @@
     'text/csv'
 }
 ALLOWED_MIME_TYPES_XML = {
-    'application/xml',
-    'text/xml',
+    'application/xml',  # official, standard
+    'text/xml',  # deprecated MIME type for XML content
     'text/plain'
 }
 

src/onegov/election_day/forms/vote.py

@@ -10,7 +10,7 @@
 from onegov.form.fields import ChosenSelectField
 from onegov.form.fields import PanelField
 from onegov.form.fields import UploadField
-from onegov.form.validators import FileSizeLimit
+from onegov.form.validators import FileSizeLimit, MIME_TYPES_PDF
 from onegov.form.validators import WhitelistedMimeType
 from wtforms.fields import BooleanField
 from wtforms.fields import DateField
@@ -280,7 +280,7 @@ class VoteForm(Form):
     explanations_pdf = UploadField(
         label=_('Explanations (PDF)'),
         validators=[
-            WhitelistedMimeType({'application/pdf'}),
+            WhitelistedMimeType(MIME_TYPES_PDF),
             FileSizeLimit(100 * 1024 * 1024)
         ],
         fieldset=_('Related link')

src/onegov/file/utils.py

@@ -74,15 +74,8 @@ def get_supported_image_mime_types() -> set[str]:
 
     # Not all PIL formats register a mime type, fill in the blanks ourselves.
     supported_types = {
-        'image/bmp',
-        'image/x-bmp',
         'image/x-MS-bmp',
-        'image/x-icon',
-        'image/x-ico',
-        'image/x-win-bitmap',
-        'image/x-pcx',
-        'image/x-portable-pixmap',
-        'image/x-tga'
+        'image/x-xcf',
     }
 
     for mime in Image.MIME.values():

src/onegov/form/fields.py

@@ -20,7 +20,7 @@
 from onegov.file.utils import IMAGE_MIME_TYPES_AND_SVG
 from onegov.form import log, _
 from onegov.form.utils import path_to_filename
-from onegov.form.validators import ValidPhoneNumber
+from onegov.form.validators import ValidPhoneNumber, WhitelistedMimeType
 from onegov.form.widgets import ChosenSelectWidget
 from onegov.form.widgets import LinkPanelWidget
 from onegov.form.widgets import DurationInput
@@ -59,7 +59,7 @@
 if TYPE_CHECKING:
     from collections.abc import Callable, Iterator, Sequence
     from datetime import datetime
-    from onegov.core.types import FileDict as StrictFileDict
+    from onegov.core.types import FileDict as StrictFileDict, LaxFileDict
     from onegov.file import File
     from onegov.form import Form
     from onegov.form.types import (
@@ -261,28 +261,58 @@ class UploadField(FileField):
     file: IO[bytes] | None
     filename: str | None
 
-    if TYPE_CHECKING:
-        def __init__(
-            self,
-            label: str | None = None,
-            validators: Validators[FormT, Self] | None = None,
-            filters: Sequence[Filter] = (),
-            description: str = '',
-            id: str | None = None,
-            default: Sequence[StrictFileDict] = (),
-            widget: Widget[Self] | None = None,
-            render_kw: dict[str, Any] | None = None,
-            name: str | None = None,
-            _form: BaseForm | None = None,
-            _prefix: str = '',
-            _translations: _SupportsGettextAndNgettext | None = None,
-            _meta: DefaultMeta | None = None,
-            # onegov specific kwargs that get popped off
-            *,
-            fieldset: str | None = None,
-            depends_on: Sequence[Any] | None = None,
-            pricing: PricingRules | None = None,
-        ): ...
+    def __init__(
+        self,
+        label: str | None = None,
+        validators: Validators[FormT, Self] | None = None,
+        filters: Sequence[Filter] = (),
+        description: str = '',
+        id: str | None = None,
+        default: LaxFileDict | None = None,
+        widget: Widget[Self] | None = None,
+        render_kw: dict[str, Any] | None = None,
+        name: str | None = None,
+        allowed_mimetypes: Sequence[str] | None = None,
+        _form: BaseForm | None = None,
+        _prefix: str = '',
+        _translations: _SupportsGettextAndNgettext | None = None,
+        _meta: DefaultMeta | None = None,
+        # onegov specific kwargs that get popped off
+        *,
+        fieldset: str | None = None,
+        depends_on: Sequence[Any] | None = None,
+        pricing: PricingRules | None = None,
+    ):
+        validator = (
+            WhitelistedMimeType(allowed_mimetypes)
+            if allowed_mimetypes
+            else WhitelistedMimeType()
+        )
+
+        if validators:
+            validators = list(validators)
+            if not any(isinstance(validator, WhitelistedMimeType)
+                for validator in validators
+            ):
+                validators.append(validator)
+        else:
+            validators = [validator]
+
+        super().__init__(
+            label=label,
+            validators=validators,
+            filters=filters,
+            description=description,
+            id=id,
+            default=default,
+            widget=widget,
+            render_kw=render_kw,
+            name=name,
+            _form=_form,
+            _prefix=_prefix,
+            _translations=_translations,
+            _meta=_meta,
+        )
 
     # this is not quite accurate, since it is either a dictionary with all
     # the keys or none of the keys, which would make type narrowing easier
@@ -461,6 +491,7 @@ def __init__(
         render_kw: dict[str, Any] | None = None,
         name: str | None = None,
         upload_widget: Widget[UploadField] | None = None,
+        allowed_mimetypes: Sequence[str] | None = None,
         _form: BaseForm | None = None,
         _prefix: str = '',
         _translations: _SupportsGettextAndNgettext | None = None,
@@ -479,11 +510,11 @@ def __init__(
 
         # a lot of the arguments we just pass through to the subfield
         unbound_field = self.upload_field_class(
-            validators=validators,  # type:ignore[arg-type]
             filters=filters,
             description=description,
             widget=upload_widget,
             render_kw=render_kw,
+            allowed_mimetypes=allowed_mimetypes,
             **extra_arguments
         )
         super().__init__(
@@ -494,6 +525,7 @@ def __init__(
             id=id,
             default=default,
             widget=widget,  # type:ignore[arg-type]
+            validators=[*(validators or ())],
             render_kw=render_kw,
             name=name,
             _form=_form,